
Information Security Governance: Guidance For Boards Of Directors And Executive Management

To achieve effectiveness and sustainability in today's complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department.

Organizations today face a global revolution in governance that directly affects their information management practices. Following the high-profile organizational failures of the past decade, legislatures, statutory authorities and regulators have created a complex array of new laws designed to force improvement in organizational governance, security, controls and transparency. Coupled with earlier laws in these areas and in information retention and privacy, these new laws and regulations, together with significant threats of information system disruption from hackers, worm and virus perpetrators, and terrorists, create an unprecedented need for a governance approach to information management.

Information Security Governance: Guidance for Boards of Directors and Executive Management, first published in 2002, has been updated to reflect the changes in the environment, and to include many ideas and outcomes of those organizations that embrace good Information Security Governance.

This guide covers such issues as:

What is information security governance?
Why is information security important?
Who should be concerned with information security governance?
What should information security governance deliver?
What can be done to successfully implement information security governance?

49 pages, ebook

First published January 1, 2002

About the author

IT Governance

Ratings & Reviews

Community Reviews

5 stars: 1 (25%)
4 stars: 1 (25%)
3 stars: 1 (25%)
2 stars: 1 (25%)
1 star: 0 (0%)

Alejandro Teruel
May 19, 2015
This is a dry, abstract, carefully worded and somewhat dated whitepaper introduction to information security governance written for members of boards of directors. As the paper puts it, such boards should provide strategic oversight regarding not just information security within IT, but within the enterprise; thus they should:
1. Understand the criticality of information and information security to the organisation;
2. Review investment in information security for alignment with the organisation strategy and risk profile;
3. Endorse the development and implementation of a comprehensive information security programme;
4. Require regular reports from management on the programme's adequacy and effectiveness.
Therefore it stresses that the five basic outcomes of information security governance should include:
1. Strategic alignment of information security with business strategy to support organisational objectives;
2. Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to acceptable levels;
3. Resource management by utilising information security knowledge and infrastructure efficiently and effectively;
4. Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure that organisational objectives are achieved;
5. Value delivery by optimising information security investments in support of organisational objectives.
So far, so good. The IT Governance Institute is an offshoot of ISACA, so it is not surprising that its guidance fits neatly in ISACA's COBIT framework. The paper does include some interesting questions for directors and management, but it does not actually come down to earth to wrestle with important "how" questions.

The paper is almost ten years old, which is a long time indeed for an area which has been evolving quickly to try and keep up with ever more dangerous and ingenious security threats and attacks. Privacy is treated far too lightly, and almost dismissed as more of a European worry than a US one, and assurance and compliance are barely mentioned. The paper refers to COBIT 4, but the current version of COBIT is 5, which has added a lot on information security topics. Take a look at the paper, by all means, but don't stop here.
Robert Davis
August 23, 2010
"Information technology (IT) assets must be protected from external and internal activities detrimental to effective and efficient functionality." Through this publication, security professionals will acquire an appreciation for processes associated with ensuring an adequate information security program.